CVE-2026-33033

MEDIUM

Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload

Title source: cna

Description

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Exploits (1)

nomisec WORKING POC

by ch4n3-yoon · poc

https://github.com/ch4n3-yoon/CVE-2026-33033-PoC

View Code ZIP pw:eip

References (3)

[Vendor Advisory] https://docs.djangoproject.com/en/dev/releases/security/

[Mailing List] https://groups.google.com/g/django-announce

[Vendor Advisory] https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 12.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-407

Status published

Products (8)

djangoproject/Django 4.2 - 4.2.30

djangoproject/django 4.2 - 4.2.30

djangoproject/Django 4.2.30

djangoproject/Django 5.2 - 5.2.13

djangoproject/Django 5.2.13

djangoproject/Django 6.0 - 6.0.4

djangoproject/Django 6.0.4

pypi/Django 6.0 - 6.0.4PyPI

Published Apr 07, 2026

Tracked Since Apr 07, 2026